The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,094 other followers

Just as “curl | sudo sh is not advised”, do not impose running http based scripts in your customers IDE

Posted by jpluimers on 2020/06/30

For a long time, it is advised against to curl | sudo sh or equivalent:

  • [WayBackwhy using curl | sudo sh is not advised? – Stack Overflow

    Because you are giving root access to whatever script you are executing. It can do a wide variety of nasty things.

  • [WayBack] The Security Spectrum of curl | sh

    By far the most irresponsible use of curl | sh is to use it with plain, unauthenticated, insecure HTTP instead of HTTPS. This is because it’s not only possible, but also increasingly likely, that the connection over which the shell script is delivered could have its contents silently modified by anyone in network position between the vendor and the installer—especially if you’re using public Wi-Fi. (If you don’t believe this is a real risk, consider that some companies’ business models revolve around modifying JavaScript delivered over HTTP in-transit—and anyone can hijack Wi-Fi with inexpensive, easy-to-obtain devices.)

So I’m surprised that companies still run content – include JavaScript – over an insecure http transport channel in their customers IDE instances.

Many developers run their IDE as Administrator, but even as regular user this is a large security risk: the transport layer is the easiest to hack and will eventually be hacked.

One such occasion was [WayBack] Delphi 10.2.3: Tools > Options Click OK = Script Error I have another weird situation with Delphi 10.2.3. Anytime I open up the options and click OK I … – Michael Riley – Google+ .

That one actually showed the script executed, but normally you do not see it happening at all.

So my advice:

Run the web-traffic from your development machines over a web-proxy like HTTP Fiddler, then disable all http based scripts.

–jeroen

Line 73: https://gist.github.com/jpluimers/40a60ca1e07bb91fa337ecfebe314d64#file-cf-common-js-L73

// CloudFlare: Common
// ===================
// We use Polyglot for translations
// ———————————
// Polyglot.js (c) 2012 Airbnb, Inc.
//
// polyglot.js may be freely distributed under the terms of the BSD
// license. For all licensing information, details, and documention:
// http://airbnb.github.com/polyglot.js
!function(e){"use strict";function t(e){e=e||{},this.phrases=e.phrases||{},this.currentLocale=e.locale||"en"}function n(e){return"shared.pluralize."+e}function o(e){var t,n,r,i={};for(t in e)if(e.hasOwnProperty(t)){n=e[t];for(r in n)i[n[r]]=t}return i}function u(e){var t=/^\s+|\s+$/g;return e.replace(t,"")}function a(e,t,n){var i,s,o;return n!=null&&e?(s=e.split(r),o=s[l(t,n)]||s[0],i=u(o)):i=e,i}function f(e){var t=o(s);return t[e]||t.en}function l(e,t){return i[f(e)](t)}function c(e,t){for(var n in t)n!=="_"&&t.hasOwnProperty(n)&&(e=e.replace(new RegExp("%\\{"+n+"\\}","g"),t[n]));return e}function h(t){e.console&&e.console.warn&&e.console.warn("WARNING: "+t)}function p(e){var t={};for(var n in e)t[n]=e[n];return t}t.VERSION="0.2.0",t.prototype.locale=function(e){return e&&(this.currentLocale=e),this.currentLocale},t.prototype.extend=function(e){for(var t in e)e.hasOwnProperty(t)&&(this.phrases[t]=e[t])},t.prototype.clear=function(){this.phrases={}},t.prototype.replace=function(e){this.clear(),this.extend(e)},t.prototype.t=function(e,t){var n;t=t||{};var r=this.phrases[e]||t._||"";return r===""?(h('Missing translation for key: "'+e+'"'),n=e):(t=p(t),t.smart_count!=null&&t.smart_count.length!=null&&(t.smart_count=t.smart_count.length),n=a(r,this.currentLocale,t.smart_count),n=c(n,t)),n},t.prototype.pluralize=function(e,t){t!=null&&t.length!=null&&(t=t.length);var r=n(e);return this.t(r,{smart_count:t})};var r="||||",i={chinese:function(e){return 0},german:function(e){return e!==1?1:0},french:function(e){return e>1?1:0},russian:function(e){return e%10===1&&e%100!==11?0:e%10>=2&&e%10<=4&&(e%100<10||e%100>=20)?1:2},czech:function(e){return e===1?0:e>=2&&e<=4?1:2},polish:function(e){return e===1?0:e%10>=2&&e%10<=4&&(e%100<10||e%100>=20)?1:2},icelandic:function(e){return e%10!==1||e%100===11?1:0}},s={chinese:["id","ja","ko","ms","th","tr","zh"],german:["da","de","en","es","fi","el","he","hu","it","nl","no","pt","sv"],french:["fr","tl"],russian:["hr","ru"],czech:["cs"],polish:["pl"],icelandic:["is"]};typeof module!="undefined"&&module.exports?module.exports=t:e.Polyglot=t}(this);
(function($, Polyglot, window, navigator, undefined){
var polyglot = window.polyglot = new Polyglot();
// Process tranlations
function translate( json ){
if( !json ){ return false; }
polyglot.extend( json );
$.each( polyglot.phrases, function( key, val ){ $('[data-translate='+key+']').html( val ); });
}
// Piece links back together if they were split apart
function unobfuscateLinks(){
$('a[data-orig-ref]').each(function(){
var $el = $(this),
proto = $el.data('orig-proto') || '',
url = $el.data('orig-ref') || '';
url = (proto.length ? proto+'://' : '') + url;
$el.attr('href', url );
});
}
$('html')
// Let everything know that JS is ready/enabled
.toggleClass('no-js js')
// Hide all HTML content until the DOM is ready (used to prevent translation text from flashing)
.css({ 'visibility' : 'hidden', 'opacity': 0 });
// Once the DOM is ready
$(function(){
var alertContainer = $('<label/>',{'class':'alert alert-error'}),
languageSelect = $('#lang-selector');
// Process translations if it exists
if( window._cf_translation ){
// Setup the translation object, run through all translations, and show the body again
polyglot.locale = window._cf_translation.locale;
translate( window._cf_translation.blobs );
languageSelect.val( polyglot.locale );
}
// Translate obfuscated links back to clickable links.
unobfuscateLinks();
// Show the page to the user
$('html').css({ 'opacity': 1, 'visibility' : 'visible' });
// Go grab the requested language
languageSelect.on('change', function( evt ){
var lang = evt.target.value;
if( lang ){
$.getJSON('/cdn-cgi/scripts/lang/waf/'+lang+'.json', function( data ){
polyglot.locale = lang;
translate( data );
});
}
});
// If cookies aren't enabled, let the visitor know
if( !navigator.cookieEnabled ){
$('#cookie-alert').show();
}
});
})( window.$, window.Polyglot, window, navigator );

view raw
cf.common.js
hosted with ❤ by GitHub

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
%d bloggers like this: